GNU bug report logs - #77478
Fixes a crash in the Haiku font driver for daemon mode


Package: emacs; Reported by: Kyle Ambroff-Kao <kyle@HIDDEN>; Keywords: patch; merged with #77479; dated Thu, 3 Apr 2025 06:56:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Merged 77478 77479. Request was from Michael Albinus <michael.albinus@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Kyle Ambroff-Kao <kyle@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: Fixes a crash in the Haiku font driver for daemon mode
Date: Wed, 02 Apr 2025 23:33:54 -0700
Message-ID: <86cydtg3e5.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

Tags: patch

Fix use-after-free bug in the Haiku font driver

* src/haikufont.c: Set objects freed with haikufont_close to NULL so
  they will not be reused, which seems to happen in daemon mode when all
  frames have been closed and fonts are garbage collected.

In GNU Emacs 30.1 (build 2, amd64-portbld-freebsd15.0, GTK+ Version
3.24.48, cairo version 1.18.2)
System Description: 15.0-CURRENT

Configured using:
 'configure --disable-build-details --localstatedir=/var --without-gconf
 --without-libsystemd --without-selinux --with-x --enable-acl
 --with-cairo --with-dbus --with-gif --with-gnutls --with-gsettings
 --with-x-toolkit=gtk3 --with-harfbuzz --with-jpeg
 --with-file-notification=kqueue --with-lcms2 --without-m17n-flt
 --without-imagemagick --with-mailutils --with-modules
 --with-native-compilation=aot --with-sound=oss --without-libotf
 --without-pgtk --with-png --with-toolkit-scroll-bars --with-sqlite3
 --with-rsvg --with-threads --with-tiff --with-tree-sitter --with-webp
 --without-xft --with-xim --with-xml2 --with-xpm --without-xwidgets
 --x-libraries=/usr/local/lib --x-includes=/usr/local/include
 --prefix=/usr/local --mandir=/usr/local/share/man
 --disable-silent-rules --infodir=/usr/local/share/emacs/info/
 --build=amd64-portbld-freebsd15.0 'CFLAGS=-O2 -pipe
 -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc13 -isystem
 /usr/local/include -fno-strict-aliasing ' 'CPPFLAGS=-isystem
 /usr/local/include' 'LDFLAGS= -fstack-protector-strong
 -Wl,-rpath=/usr/local/lib/gcc13 -L/usr/local/lib/gcc13 -L/usr/local/lib
 ''


Content-Type: text/patch
Content-Disposition: attachment; filename=haiku-font-double-free.diff

commit 05846e17841fce3dbbb8e15fe11d38fe44b3e5e5
Author: Kyle Ambroff-Kao <kyle@HIDDEN>
Date:   Wed Apr 2 22:34:26 2025 -0700

    Fix use-after-free bug in the Haiku font driver
    
    This fixes a bug in Emacs daemon mode on Haiku. To reproduce:
    
    1. Start emacs with "emacs --daemon"
    2. Create a new frame with "emacsclient -c" and then close it.
    3. Create a new frame with "emacsclient -c"
    
    Step 3 will cause the Emacs daemon to crash.
    
      KERN: debug_server: Thread 3616 entered the debugger: Debugger call:
      `tried to free 0xb960bc9fd0 which points at page 232 which is not an
      allocation first page'
    
    The backtrace from Emacs:
       heap_free(void*) + 0x35
       BFont_close + 0x4d
       haikufont_close(font*) + 0x29 (/Code/emacs/src/haikufont.c:893)
       sweep_vectors(void) + 0x1af (/Code/emacs/src/alloc.c:3242)
       garbage_collect(void) + 0x7b3 (/Code/emacs/src/alloc.c:7247)
       Ffuncall(ptrdiff_t, Lisp_Object*) + 0x194 (/Code/emacs/src/eval.c:3084)
       internal_condition_case_n(*, ptrdiff_t, Lisp_Object*, Lisp_Object, *)
       + 0x6c (/Code/emacs/src/eval.c:1699)
       safe_funcall(ptrdiff_t, Lisp_Object*) + 0x50 (/Code/emacs/src/eval.c:3114)
       map_keymap_canonical(Lisp_Object,map_keymap_function_t,Lisp_Object,void*)
       + 0x2b (/Code/emacs/src/keymap.c:608)
       ...
    
    It appears that the BFont has already been closed. I think that the
    driver is holding on to the pointer to the freed BFont
    (info->be_font). This patch addresses this by setting be_font to NULL so
    that this pointer will not be freed again.
    
    The same thing applies to info->metrics and info->glyphs, since just
    making this change to be_font wasn't enough to avoid crashes.
    
    With this patch I can open and close as many frames as I want without
    crashing.
    
    I don't totally understand the interactions here, and I see there are
    similar bugs in other font drivers with different workarounds. For
    example, in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=16069 which I
    found from xfont.c:xfont_close, it seems like there is an attempt to
    just not free the fonts when GC is invoked.
    
    I think the solution in this patch seems a little simpler, but possibly
    means that the fonts are initialized every time the frame count goes
    from 0 to 1 or more instead of just once for the life of the daemon.

diff --git a/src/haikufont.c b/src/haikufont.c
index 7522b92207fa..72dfcc4aa3bf 100644
--- a/src/haikufont.c
+++ b/src/haikufont.c
@@ -890,25 +890,45 @@ haikufont_close (struct font *font)
     return;
 
   block_input ();
-  if (info && info->be_font)
-    BFont_close (info->be_font);
 
-  for (i = 0; i < info->metrics_nrows; i++)
+  if (info)
     {
-      if (info->metrics[i])
-	xfree (info->metrics[i]);
+      if (info->be_font)
+        {
+          BFont_close (info->be_font);
+          info->be_font = NULL;
+        }
+
+      if (info->metrics)
+        {
+          for (i = 0; i < info->metrics_nrows; i++)
+            {
+              if (info->metrics[i])
+                {
+                  xfree (info->metrics[i]);
+                  info->metrics[i] = NULL;
+                }
+            }
+
+          xfree (info->metrics);
+          info->metrics = NULL;
+        }
+
+      if (info->glyphs)
+        {
+          for (i = 0; i < 0x100; ++i)
+            {
+              if (info->glyphs[i])
+                {
+                  xfree (info->glyphs[i]);
+                }
+            }
+
+          xfree (info->glyphs);
+          info->glyphs = NULL;
+        }
     }
 
-  if (info->metrics)
-    xfree (info->metrics);
-
-  for (i = 0; i < 0x100; ++i)
-    {
-      if (info->glyphs[i])
-	xfree (info->glyphs[i]);
-    }
-
-  xfree (info->glyphs);
   unblock_input ();
 }
 
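Review bot: in the glyphs loop, `xfree (info->glyphs[i]);` is not followed by `info->glyphs[i] = NULL;` the way the metrics loop clears `info->metrics[i]`. It is safe here only because `info->glyphs` itself is freed and nulled immediately after, so this is a style point: either clear `glyphs[i]` too or drop the now-redundant `info->metrics[i] = NULL;` for the same reason, so the two branches read alike. The bigger gap is documentation: the nulling is needed because haikufont_close can run a second time on the same font (the GC sweep in the backtrace), and a comment above `if (info)` saying so would stop a later cleanup from removing these assignments as dead stores. Note also that `info->metrics_nrows` keeps its old value after `info->metrics` becomes NULL, so any loop over it must stay under the `if (info->metrics)` guard as it does here.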

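The double-close scenario the commit message describes, as an added example that is not Emacs code: a haikufont-style info struct closed twice, once with the pre-patch shape of the function and once with the patched shape. The struct, the free() shim and the allocation sizes are constructed for the demo, and glyphs are left out since they follow the same pattern as metrics.

```c
/* Added example, not Emacs code: an idempotent close for a haikufont-style
   info struct that is closed twice (frame teardown, then the GC sweep). */
#include <stdlib.h>
#define NROWS 4
struct font_info {        /* the fields the patch touches, minus glyphs */
  void *be_font;          /* native font handle (BFont in the real driver) */
  void **metrics;         /* NROWS lazily allocated rows */
  int metrics_nrows;
};
static void *freed_log[64];           /* pointers already passed to tracked_free */
static int nfreed, double_frees;
/* Constructed shim: logs frees without calling free(), so a repeated free is
   counted rather than undefined behaviour (memory is leaked on purpose). */
static void tracked_free (void *p)
{
  for (int i = 0; i < nfreed; i++)
    if (freed_log[i] == p) { double_frees++; return; }
  freed_log[nfreed++] = p;
}
/* Pre-patch shape: resources are freed, dangling pointers stay behind. */
static void close_before (struct font_info *info)
{
  if (info->be_font) tracked_free (info->be_font);
  for (int i = 0; i < info->metrics_nrows; i++)
    if (info->metrics[i]) tracked_free (info->metrics[i]);
  if (info->metrics) tracked_free (info->metrics);
}
/* Post-patch shape: every freed pointer is nulled, so a second call does nothing. */
static void close_after (struct font_info *info)
{
  if (info->be_font) { tracked_free (info->be_font); info->be_font = NULL; }
  if (!info->metrics) return;
  for (int i = 0; i < info->metrics_nrows; i++)
    if (info->metrics[i]) { tracked_free (info->metrics[i]); info->metrics[i] = NULL; }
  tracked_free (info->metrics);
  info->metrics = NULL;
}
/* Builds one font, closes it twice with CLOSE_FN, returns the double frees seen. */
static int double_frees_closing_twice (void (*close_fn) (struct font_info *))
{
  struct font_info *info = calloc (1, sizeof *info);
  info->be_font = malloc (8);
  info->metrics_nrows = NROWS;
  info->metrics = calloc (NROWS, sizeof *info->metrics);
  for (int i = 0; i < NROWS; i++) info->metrics[i] = malloc (8);
  nfreed = double_frees = 0;
  close_fn (info);
  close_fn (info);
  return double_frees;
}
```

With the pre-patch shape the second close repeats all six frees (the handle, four rows and the row array); with the patched shape it repeats none.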
Acknowledgement sent to Kyle Ambroff-Kao <kyle@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#77478; Package emacs. Full text available.
Last modified: Thu, 3 Apr 2025 08:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.